Quote: an unprivileged process can only cause upward data flow that remains below all pertinent ceilings; enforce by rules on security labels

security by secure domains

The [security] label of an entity x (process, … is denoted C(x). … [p. 675] Data flow results from system calls. In … flows from source x to destination y, it … x (or y) belongs to file system z, … x must satisfy L(x,t_1) <= L(x,t_2) for t_1<=t_2. … The ceiling of a mounted file system cannot …

